More ransomware operations and state-sponsored threat groups have been leveraging the new AuKill hacking tool to deactivate targets' endpoint detection and response software prior to backdoor deployment, reports BleepingComputer. After deploying a vulnerable Windows Process Explorer driver named "procexp.sys," AuKill escalates privileges by spoofing the TrustedInstaller Windows Modules Installer service, according to a Sophos X-Ops report. AuKill then launches numerous threads to disable security software. The report also noted that several versions of the tool have been used in Medusa Locker and LockBit ransomware deployments. "The tool was used during at least three ransomware incidents since the beginning of 2023 to sabotage the target's protection and deploy the ransomware. In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill just prior to deploying Lockbit ransomware," said Sophos X-Ops, which also noted the similarities between AuKill and the Backstab open-source tool.